Has Google's Privacy Policy Protected Us From Government Surveillance?

The District Court ruling that Google doesn’t
have to turn over any search records to the Bush administration
isn’t just a victory for Web surfers who don’t like the
thought of being tracked
by the government. It's a victory for anyone who stores data and
doesn’t want to be harassed by lawyers or federal agents.

Google claimed from the start that the case was about privacy
rights, citing both its users’ right not to have their searches
revealed and Google’s own right to make sure its trade
secrets stayed that way. Both of these are important and were enough
to win in court. But the implications for both personal and corporate
privacy go much further than that.

For individuals, the greatest threat to privacy isn’t so
much the search records as what the Bush administration wanted to do
with them--that is, bolster its legal argument in favor of the
Child
Online Protection Act. Despite the name, COPA has nothing
to do with protecting children online. Rather, it requires all Web
sites that contain potentially sexual content to track visitors and
verify that they're over 17. The intent is to censor porn, but
sexual content is defined so vaguely that just about every Web site
could end up requiring age verification.

According to COPA, Web publishers have the option of two tracking
mechanisms. The low-tech solution is to ask all visitors for their
credit card details, which makes the law an even greater gift than
Internet Explorer to
the phishing industry.
(Some sites already use the Act as an excuse to demand credit card
numbers.) The high-tech one is to have the PC itself provide a
digital certificate that identifies the user, probably through a
combination of Trusted
Computing chips and biometric sensors.

Google’s victory won’t in itself stop COPA, of course.
And stopping it might not even be necessary. In 2001, the Supreme
Court decided that the law was unconstitutional (see
PDF or Google
cached HTML) following a challenge from a group of online
publishers led by the ACLU. But it left open the possibility that
future technological advances could change this.

I don’t quite understand how technology can make censorship
and tracking constitutional, let alone how a list of search queries
can prove it, but that appears to be the Bush administration’s
case. If it's somehow valid, Google’s refusal probably won't
make any difference. Microsoft and Yahoo both acquiesced
without a fight. AOL also provided
some data, so the White House already has much of what it wanted.

However, the legal argument that the District Court relied on in
its ruling (PDF
only, so far) could help bolster the ACLU’s case, as well as
that of other organizations that store data and need to stand up to a
subpoena. The Bush administration’s lawyers had argued that it
needs Google’s search records because many people use Google to
search
for porn. District Judge James Ware eventually relied on the same
argument, but turned it in favor of Google.

The Judge’s reasoning is that people have a right to keep
their porn searches private, even if they might not mind Google
sharing some other less embarrassing search terms. (This is contrary
to the stated premise of COPA, which is that everyone who surfs for
smut needs to be tracked.) Because so much of Google’s
business supposedly involves porn, the District Court was concerned
that forcing Google to violate its privacy policy could hurt the
site’s popularity. So privacy policies aren’t meaningless
and unenforceable; they can actually stand up in court, provided
that the company that wrote the policy is willing to stand up, too.

Unfortunately, the Court didn’t get a chance to rule on
Google’s claims about trade secrets. The Bush administration
had already dropped its previous demands (see PDF
of the subpoena posted by SearchEngineWatch,
or Google
cached HTML), which covered details such as how many servers
Google has and what each one of them does. But the ruling does show
that the Court is concerned about the effect on Google’s
business. And the case itself shows that stored data can become a
liability, even if it's successfully protected against black-hat
hackers, malicious insiders, and all the other traditional security
threats.

Google and the other search engines weren't originally involved in
the COPA case; it was just between the Bush administration and the
ACLU-led group. (Unlike most Web sites, Google wouldn’t even be
affected by COPA because it specifically excludes search engines.)
But they became involved once the government saw that their vast
stores of data might prove useful.

Most organizations don’t store as much information as
Google, but their databases could still be tempting, especially with
the growing overlap between people's business and personal lives. The
riskiest is location data, which both prosecutors and defense
attorneys regularly demand from cellular carriers. Businesses
that track and store customers’ or employees’ movements
(online or offline) could find themselves in a similar position,
dragged into both civil and criminal suits.

As Google shows, the best defense is a strong privacy policy, but
it needs to be backed up by a strong legal department and a
willingness to fight. Without those, businesses may be better off not
storing sensitive data at all.
